If You’re Breached, You May Be Facing Two Battles


According to an Ars Technica article on Monday, August 24, a federal appeals court ruled that the Federal Trade Commission (FTC) can sue a company that employs poor IT security practices. This resulted from a lawsuit that the FTC filed against the Wyndham Worldwide Corporation, which suffered three breaches from 2008 to 2009 (FTC vs. Wyndham).

FTC Chairwoman Edith Ramirez wrote in a statement to Ars, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

What could this mean to the control system community?

This means we can no longer sit back and use the excuses “that’s the way it has always been done,” “so what if someone turns an air handler off,” or “nobody cares about hacking a control system.” If a breach of customer data occurs through a BAS, not only could you be liable to consumers, the FTC could come after you as well.

This is not the only action by the FTC. According to an article on Security Week, the agency has settled more than 50 cases so far. Given the federal appeals court ruling this week, the FTC’s authority in such matters has been reaffirmed. Lawsuits such as these will likely increase.

As system integrators, building owner/operators, vendors, and manufacturers, we need to step up our OT security practices. IT and OT are converging more every day, and the lines between them are becoming less obvious. And rightfully so. We have to shoulder our share of the responsibility, or we could be in the crosshairs of the FTC as well.

There is a credit card company that uses the phrase “what’s in your wallet.” Maybe we should start asking ourselves “what’s in our budget” and add a review and upgrade of our IT/OT infrastructure.

What You Always Wanted to Know About BACnet (… but were Afraid to Ask)

Although this video is a little dated, it contains a lot of vital information and critical content for those in the awareness and knowledge-gathering phases of the cyber security “human patching” process (Gordy). At ShmooCon 2013, Brad Bowers’ BACnet Attack Framework presentation, “How To Own A Building: Exploiting the Physical World With BACnet,” brings to light the vulnerabilities of one of the most common communication protocols used on the operational technology side of the HVAC and building automation industries. For those interested in learning more about cyber security, plan to attend the Cyber Security Summit for Operational Technology, Buildings, and Facilities, March 21-23, 2016, at the Georgia Tech Research Institute (GTRI) in Atlanta, Georgia.

Published on Mar 21, 2013
For more information and to download the video visit: http://bit.ly/shmoocon2013
Playlist ShmooCon 2013: http://bit.ly/Shmoo13

2nd Annual Demand Response World Forum 2015, October 6-8 in Costa Mesa, CA,

Utilities around the world are under increasing pressure to maximize energy efficiency, control load, and integrate distributed energy resources. These factors plus a changing regulatory environment are driving new requirements for network resiliency, flexibility, and power quality — all of which impact the traditional utility business case. For utilities to thrive in this changing market, they must embrace greater network agility and work with customers to maximize value for all stakeholders in the value chain.

The 2nd Annual Demand Response World Forum 2015, October 6-8 in Costa Mesa, CA, brings together professionals from around the world to explore the latest demand response and network control strategies for meeting the changing energy landscape of the 21st Century. Technology innovators and business leaders will discuss how to enable an integrated and flexible network that is responsive to a wide range of distributed energy resources, marketplace entities, and customer energy demand and generation.


Cyber Security Terms and Definitions – Part 2

The list below is a continuation of the series Cyber Security Terms and Definitions. Some of these terms you may have heard, or probably will hear sometime in the near future.

I am not sure how many of these I need to do past this point because it can get into some areas that you will probably not run into. If you have terms or topics you want to take a deeper dive into, let me know, and either I will answer it or have some of the cyber security experts I know post a response to it.

Blacklist – This is a list of known bad sites and/or IP addresses. For instance, once a point of origin has been identified as a source of SPAM email, that site/IP is put into a blacklist. There are subscription services that maintain a broad list of blacklisted sites/IPs that you can add into your security profile, but a blacklist can also consist of sites/IPs that you have identified yourself and put into your firewalls.

I have also run into situations where a legitimate site/IP has ended up in a blacklist simply because the blacklist service could not confirm it was a good site/IP.

Whitelist – This can be tricky… Unlike the blacklist, where you leave yourself open to anything that is not on the blacklist, the whitelist approach says “I will not allow anything unless it is on the whitelist.” If you set up your security scheme this way, it will increase your IT maintenance time, because every time someone needs to go to a site/IP that is not on the list, it must be added by hand, one at a time. It is safer, but more time consuming.

Phishing – Whether you realize it or not, you have probably already been a victim of a phishing attack. Most of us remember the Uganda (I think Uganda… could have been Ethiopia… I digress) email that said all you need to do was put $1,000 in a bank account and you would magically get, oh I don’t know, $100,000 for your time and trouble. This was a form of phishing.

Phishing today is much more sophisticated. You might receive an email saying “AT&T – Your Online Bill is Ready.” If you click it, it could take you to a site that even looks like AT&T. The link text that you see may be “AT&T Bill,” while the URL (web address) that you don’t see may be something like http://att.billing.biz. The site would ask you to enter your account name and password to review your bill. If you do this, they now have your AT&T credentials. Another thing that might happen by clicking the link is that a malicious program could be installed on your machine to log your keystrokes. There are other things that might occur, but suffice it to say, if you get an email and you are not 100% sure of its point of origin, delete it or forward it to your IT staff for review.

You can also do some investigating yourself. In the example above the link text was “AT&T Bill.” If you hover over the link (DO NOT CLICK), a pop-up will show you the web address it is pointing to. If it has http://www.att.com or http://www.att.net, it is legit. If it is any other address… DELETE IT!
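The whitelist approach described earlier and the hover-over link check above can be combined into a small allowlist check on the real link target. The script below is an added example written for this post, not code from the original article: it pulls every link out of a constructed sample mail body, reads the hidden href behind the visible link text, and accepts it only when the hostname is one of the legitimate domains named above (att.com or att.net, an assumed allowlist) or a subdomain of one of them. Matching on a dot boundary is what defeats look-alike hosts such as att.billing.biz, where “att” appears in the name but the registered domain is something else entirely.

```python
"""Allowlist check on the real target of each link in a suspected phishing mail.

Added example for this post; not code from the original article. The allowlist
holds the two hosts the post names as legitimate and is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: registrable domains the genuine sender uses.
ALLOWED_DOMAINS = ("att.com", "att.net")


def host_is_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True only if the URL's hostname is an allowed domain or a subdomain of one.

    Comparing on a dot boundary rejects look-alikes such as att.billing.biz,
    evilatt.com or www.att.com.evil.example: the name merely containing "att"
    is not enough, the registrable domain itself has to match.
    """
    host = urlparse(url).hostname  # None for mailto:, javascript: and relative hrefs
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text that sits inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html: str, allowed=ALLOWED_DOMAINS):
    """Return (visible text, href, verdict) for each link in the mail body.

    verdict is "ok" when the href's host passes the allowlist, else "suspicious".
    """
    parser = _LinkCollector()
    parser.feed(html)
    return [
        (text, href, "ok" if host_is_allowed(href, allowed) else "suspicious")
        for text, href in parser.links
    ]


# Constructed sample mail body: one genuine link, two look-alikes, one
# unrelated host. The visible text of the first two links is identical.
SAMPLE_MAIL = """
<p>AT&amp;T - Your Online Bill is Ready</p>
<a href="http://www.att.com/billing">AT&amp;T Bill</a>
<a href="http://att.billing.biz/login">AT&amp;T Bill</a>
<a href="http://www.att.com.evil.example/">View statement</a>
<a href="https://example.org/">Privacy policy</a>
"""

if __name__ == "__main__":
    for text, href, verdict in check_links(SAMPLE_MAIL):
        print(f"{verdict:10s} {text!r:20s} -> {href}")
```

Running it flags three of the four links as suspicious; only the first, whose host is a subdomain of att.com, passes. Anything the allowlist has not been told about is rejected by default, which is exactly the maintenance trade-off the whitelist entry above describes.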

Spear Phishing – Spear phishing is aimed at specific people and/or groups of people, whereas plain old phishing is mass emailing with no particular target, meant to snare anyone who clicks the link.

This type of attack is well thought out and planned. The spear phisher will learn as much as they can about you and/or your company so that when they craft their email, it has a high degree of legitimacy and familiarity to the recipient. The agenda for this type of attack may be to pierce a company’s firewall to gain access to specific information that you and/or your company possess. Once in, this “hole” in your firewall will probably remain undetected for days, weeks, or months, allowing the bad guys to come and go as they please.

Pharming – This is a website that is designed to appear legit in order to get you to enter sensitive information such as passwords, account numbers, Social Security numbers, etc. This is more than likely the site that a phishing email will take you to if you click it.

Social Engineering – A psychological attack used by cyber attackers to deceive their victims into taking an action that will place the victim at risk. For example, cyber attackers may trick you into revealing your password or fool you into installing malicious software on your computer. They often do this by pretending to be someone you know or trust, such as a bank, company or even a friend.

Spoofing – I mentioned in Phishing above that you may see “AT&T Bill” when in reality the web address was something like http://att.billing.biz. This is a form of spoofing. In other words, this is a message that appears to have a legitimate point of origin but in reality does not.

Spoofing can also occur in text and phone calls. Text can appear to come from a legitimate source such as a friend of yours. The same applies to phone calls.

Cyberspace – Hmmm…? This could go in several directions.

If you look online you can get a lot of explanations which basically mean about the same thing. If you want a definition… Merriam-Webster doesn’t give you a lot to go on. According to MW, the Full Definition of CYBERSPACE is “the online world of computer networks and especially the Internet.”

I’m just going to say if something is connected and remotely available, it is in cyberspace. Therefore, cyberspace is a virtual environment that connected devices live in.

Encryption – This one can get deep, but we won’t go there. Basically, this means that when data (email, user credentials, etc.) leaves the source to travel over the web, it is in a “cocoon” of sorts, and the receiver of the information has a “key” to unlock the cocoon to see what is in it.

Just for fun I asked www.Merriam-Webster.com what she said and this is what I got… “encrypt: to change (information) from one form to another especially to hide its meaning.”

Exploit – In some respects it is what it is. What I mean is that the application of the word is the same whether you are talking about people or things. The technical explanation in cyberland is code that is designed to take advantage of a vulnerability. An exploit is designed to give an attacker the ability to execute additional malicious programs on the compromised system or to provide unauthorized access to affected data or applications.

Malware (Virus, Worm, Trojan, Spyware) – The explanation of this term is best described by SANS/Securing the Human (http://www.securingthehuman.org/resources/security-terms).

Malware stands for ‘malicious software’. It is any type of code or program cyber attackers use to perform malicious actions. Traditionally there have been different types of malware based on their capabilities and means of propagation, as we have listed below. However these technical distinctions are no longer relevant as modern malware combines the characteristics from each of these in a single program.

  • Virus: A type of malware that spreads by infecting other files, rather than existing in a standalone manner. Viruses often, though not always, spread through human interaction, such as opening an infected file or application.
  • Worm: A type of malware that can propagate automatically, typically without requiring any human interaction for it to spread. Worms often spread across networks, though they can also infect systems through other means, such as USB keys. An example of a worm is Conficker, which infected millions of computer systems starting in 2008 and is still active today.
  • Conficker: The origin of the name Conficker is thought to be a combination of the English term “configure” and the German pejorative term Ficker. Microsoft analyst Joshua Phillips gives an alternate interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz (with the letter k, not found in the domain name, added as in “trafficker”, to avoid a “soft” c sound), which was used by early versions of Conficker to download updates. (ref – https://en.wikipedia.org/wiki/Conficker)
  • Trojan: A shortened form of “Trojan Horse”, this type of malware appears to have a legitimate or at least benign use, but masks a hidden sinister function. For example, you may download and install a free screensaver which actually works well as a screensaver, but that software could also be malicious and infect your computer once you install it.
  • Spyware: A type of malware that is designed to spy on the victim’s activities, capturing sensitive data such as the person’s passwords, online shopping, and screen contents. One popular type of spyware, a keylogger, is optimized for logging the victim’s keyboard activity and transmitting the captured information to the remote attacker.

If you have comments or questions feel free to post them here or contact me directly at fred.gordy@smartcore.com

Wearable Technology in the HVAC Industry: Just Around the Bend. Explore the World of AWE

(Photo Credit: procore.com blog) While an increasingly concerted effort to grow the HVAC industry young is under way, the need for immediate competent presence (ICP) won’t let HVAC wait. Wearable technology, especially Smart Glasses adapted for the HVAC/Systems Integration markets, may extend the existing talent pool well enough to serve as the necessary interim measure.

The sheer scarcity of human resources available and the relatively long learning curve and apprentice phase needed to provide unassisted smart HVAC services require the use of wearable HVAC-oriented technology as soon as it becomes available. Customers will expect the use of wearable technology solutions to ensure that their needs are being met. And as the favorable shift of economic, social, and technological forces continues to reduce the barriers to entry, imminent use of wearable technology in the HVAC industry is just around the bend.

Augmented World Expo™ (AWE) is the world’s largest conference and expo for professionals focused on making the world more interactive – featuring technologies such as Augmented Reality, Wearable Computing, Smart Glasses, Gesture and Sensor devices, and The Internet of Things.

Now in its 6th year, AWE is again assembling the top innovators – from the hottest startups to Fortune 500 – to showcase the best augmented world experiences in all aspects of life and work: from entertainment and brand engagement, to enterprise and industrial, urban and architecture, education and training, automotive and navigation, government, and commerce.
AWE 2014 was the largest ever exposition of Augmented Reality and Wearable Technology with over 200 demos, 150 speakers, and nearly 2000 attendees!

AWE 2015 is poised to set a new record and draw 3000 attendees from all over the world: a mix of CEOs, CTOs, designers, developers, creative agencies, futurists, analysts, investors, and top press – and offer a fantastic opportunity to learn, inspire, partner, and experience first hand the most exciting industry of our times.

Trane Engineers Newsletter Live: Applying Variable Refrigerant Flow

During our most recent ControlTalk NOW, we discussed the future impact the Variable Refrigerant Flow technology is likely to make in our HVAC industry, and how it may affect the after-market sales of today’s HVAC controls distributor. During our search for more relevant information, we came across this informative “Trane Engineers Newsletter Live: Applying Variable Refrigerant Flow” post on YouTube. This outstanding 88-minute video tells the whole VRF story. Published on September 30, 2014, this program presented by Trane applications engineers is a comprehensive discussion of some of the challenges when applying a VRF system — such as complying with ASHRAE Standards 15 and 90.1, meeting the ventilation requirements of ASHRAE Standard.

Caution: Disruption Ahead! Data Sent to Cloud (Not to BMS) — Daikin Applied Intelligent Equipment

The Daikin-Intel disruption bell tolled rather loudly and clearly at the June 2014 Realcomm/IBcon show in Las Vegas. Daikin, one of the world’s largest and most progressive equipment manufacturers, had already rolled out their Rebel Rooftop line, which put them in the pole position (kinda), because merging equipment and controls by utilizing the potency of IoT and new disruptive technology is great and does offer additional value to Daikin’s customers.

Daikin Applied Executive VP, Kevin Facinelli’s video says it all! Yet, for the savvy controls contractor or systems integrator, this poses a challenge. Daikin’s equipment brings intercommunication between equipment, building integration, and the benefits of cloud analytics — via Intel’s Intelligent Gateway — that really seems to do it all, and securely. But! The data (and integration business) doesn’t go through the building BMS network. Hmm, comments, please.

Additional Info: The Intelligent Equipment solution provides building owners the ability to have 24/7 real-time access to the building information and manage operations in a way that was previously unattainable. Daikin Applied products can automatically inform a support organization before they break down so customer service can move from a reactive to a preventative service model.

The Intelligent Equipment solution allows building owners, managers and technicians to have access to the same building information, on the same platform. This capability provides the opportunity for the key members in building management to coordinate their efforts at a higher level.

Ken Sinclair’s January 2015 Edition of Automated Buildings: Auto’s Autodidacticism

Another great edition of Automated Buildings is now available! The January 2015 edition introduces AB’s editor Ken Sinclair’s critical evaluation of how self-learning is rapidly becoming such a necessary and essential tool for the HVAC industry. In 2011, Seth Godin declared that the internet freed us all from the tyranny of being selected. That it was time to select yourself. We are seeing this self-selection tenet in full motion and experiencing the impact that self-selection has already had on many industries — that have lost their once inalienable gate-keeper rights, with the music industry’s barriers falling the hardest and the fastest. Ken Sinclair proposes, on a very serious upbeat, that IoT will beneficially accelerate the “Autodidacticism” or self-education within our HVAC industry, and that future IoT tools may be the solutions needed to capture and preserve HVAC knowledge and experience for those willing, and driven by necessity, to teach themselves.

Ken says he likes the word “autodidacticism” because, “I love that this word contains these three words Auto…… Did…… and Act. This provides us an easy way to remember this unusual word that is becoming our future.” Anyone who knows Ken well enough knows that Auto is his nickname. Now, that’s some interesting coincidence.

The January 2015 edition of automatedbuildings.com is a great read, full of industry insight from the likes of Jim Sinopoli, John Petze, Therese Sullivan, and many others — as well as the earnest encouragement to attend the free education sessions planned at AHR Expo 2015 in Chicago. It is a great way to keep up with, and on top of, the growing theme of self-education. Please drop in and join us.

CTN’s Smart Building Tip of the Week: Accruent’s Facility 360 — Become a Driver of Success

Convert your facility from a cost center to a strategic contributor. Great information from Accruent on how facilities management teams can play a more strategic role in organizations.

7 Ways to Save Time, Costs, and Energy: Download White Paper.

In a world where you must find ways to “do more with less,” finding ways to cut costs can be challenging – and time consuming.

Here at Accruent, we know your time is short in supply and high on demand. That’s why we recommend ONE thing you can do in just 15 minutes to transform your facilities: read this white paper and learn seven easy ways to transform your facilities department into a strategic driver for success.

With the right software partner and processes in place, you can cut your maintenance costs by 35%. You can reduce the time spent scheduling and managing preventive maintenance procedures by 40%, not to mention cut the time required to enter PM work orders by 85%.

Automated Building’s December Theme: “Creating Your Collaboration”

Special note from Ken Sinclair: The December issue is Automated Buildings’ AHRExpo 2015 Chicago preview. Editorial excerpt: “Our December theme ‘Creating your Collaboration’ started with my puzzling with the process of how industry knowledge gets passed on. AHRExpo is the annual event where we present our free education sessions to the industry. This is our 16th year of presenting these sessions and hosting the third annual Connection Community Collaboratory meeting. Online Collaboration is how today’s education occurs.

Education is not an affair of “telling and being told” but an active process; I am a poor presenter but a good connector of concepts and resources for the active process. As a connector of concepts and resources I need to be questioned by those seeking knowledge to be of use. My value is not the knowledge that I can share, but the knowledge I can connect folks to so they can self-teach themselves their way. I am but a catalyst in the process of learning.

I am still struggling with the best way to transfer the industry dumps of information to incoming practitioners of our industry. We came to call this “The Dinosaur Dump” when we dropped 20 to 30 years of industry experience on some poor incoming practitioners who did not even ask one question…..smile.” Read complete editorial!